Whether curious or malicious hackers, organized criminals, or national spies or soldiers, for
decades, those who want to use cyberspace to attack have held nearly all the cards. Cyber attack
has been, for decades, far easier than cyber defense.
Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically
Security is now important to all of us, not just people who work at Facebook. Most developers think about security in terms of security technologies that they want to apply to their systems, and then ask how secure the system is. From a secure systems perspective, this is the wrong way around. To build a secure system, you need to start from the things that need to be protected and the threats to those resources.
In this session, Eoin dives into the fundamentals of system security to introduce the topics we need to understand in order to decide how to secure our systems.
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
Today's Breach Reality, The IR Imperative, And What You Can Do About It - Resilient Systems
Despite changing threats and the near certainty of compromise, most
IT security programs are much the same as they were a decade ago. How
have attacker motivations and tactics changed, and why? What does
this mean for IT security departments, and how must they adapt?
This webinar will detail the security challenges organizations face
today, the implications of changes in attacker tactics and
motivations, and what firms can do to better align their security
program with today's reality.
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Colby Clark, Director of Incident Management, Fishnet Security
Prevent Getting Hacked by Using a Network Vulnerability Scanner - GFI Software
How to (Not) Get Hacked - A Webinar by Greg Shields that discusses how activities such as Network Scanning, Vulnerability Scanning and Patch Management can ensure that your Network Security never gets breached.
The New Normal: Managing the constant stream of new vulnerabilities - Major Hayden
It’s 3AM. Do you know what your servers are doing? In this age of increased attacks and highly publicized vulnerabilities, deploying your infrastructure in a secure way is mission critical. In this session, Aaron Hackney and Major Hayden from Rackspace will reveal security strategies to focus your spending and reduce your risk.
Cloud, DevOps and the New Security Practitioner - Adrian Sanabria
First presented at Cloud Security World in Boston on June 15th, 2016.
Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?
"Evolving cybersecurity strategies" - Seizing the Opportunity - Dean Iacovelli
Why does security feel like the most frustrating challenge in government IT? In part because security in a cloud-first, mobile-first world calls for new approaches. Data is accessed, used, and shared on-prem and in the cloud, erasing traditional security boundaries. We’ll examine current trends in cyber security and some resulting strategy shifts that have the potential to greatly enhance public sector organizations’ ability to balance risk and access, better detect and respond to attacks, and make faster and more coordinated cybersecurity decisions overall. Follow-on sessions in the series will delve more deeply into specific facets of an overall cybersecurity strategy.
Media Conglomerate Chooses Lastline For Advanced Malware Protection
Industry: Mass Media
Company: A national media company serving a global audience
Description: Media organization focused on providing business news
Challenge: Provide protection against advanced threats that elude standard virus protection systems
Solution: Lastline Enterprise Hosted
Results: Fill void in security portfolio and protect both company and user base from advanced persistent threats, zero-day attacks, and evasive malware
In this presentation Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, will demonstrate three separate models in order to identify gaps in ICS security posture. First, threat modeling serves as an inward look as an ICS network defender in order to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels pertaining to an industrial process. Second, the ICS cyber kill chain serves as an outward look at the steps an adversary needs to take in order to achieve their objectives. Third, the bowtie model allows a graphical representation of the threats to the environment as well as the protection, detection, and response controls that help secure it. In the end, the asset owner creates a holistic picture of the security controls in their network, pertaining to the threat actors they care about and allows identification of gaps in their strategy.
Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows... - Adrian Sanabria
There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows running one of these 100 products. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy.
Part one of this workshop will address the anatomy of malware and why it succeeds so often.
The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation.
- Passive prevention is effectively free and ideal
- Prevention will always fail a percentage of the time, so detection is essential
- Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal
- Remediation, because someone has to clean up this mess...
Every successful security strategy includes planning to handle failure quickly and effectively.
The remainder of the workshop will be hands-on.
Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them.
For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.
Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different than what is normally tracked in the community as threat actors and have a different focus for defenders.
Mobility and security are important factors that need to be prioritized by fintech startups in building user trust.
This presentation shares how to build, develop, and improve these two things so that your business can grow.
In this provocative and sometimes irreverent presentation, retired Brigadier General Greg Touhill, the United States government's first federal Chief Information Security Officer, will discuss why the legacy perimeter defense model has been overwhelmed and made obsolete by the advent of modern mobility and cloud computing. He'll demonstrate how to make the business case that the shift to the Zero Trust security strategy is now essential for businesses to survive and thrive in today's highly contested global digital economy.
In this presentation, Matt Bodman, Director of Special Programs at Dragos, demonstrates the basics of Neighborhood Keeper.
Neighborhood Keeper is a collaborative threat detection and intelligence program, led by Dragos in partnership with the DOE, that makes ICS threat analytics and data accessible to the greater ICS community. Its initial participants include: Dragos, Ameren, First Energy, Department of Energy’s Idaho National Labs, North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center, and Southern Company.
Neighborhood Keeper will serve smaller providers who lack sufficient resources to buy and manage advanced security technologies, giving them access to collaborative ICS data at near-real-time and providing them immediate insight into the ICS threat landscape without revealing sensitive data.
For more information, please visit https://dragos.com/neighborhood-keeper/
Harry Regan - It's Never So Bad That It Can't Get Worse - centralohioissa
Disaster recovery, emergency response and business continuity plans are usually developed when no disaster exists. We think we’ve covered all contingencies. We think we’ve trained all the appropriate players. We’ve tested. We’ve re-tested. We think we’re ready to face whatever event is looming out there with our name on it! The real world has a nasty habit of triggering disasters at the least opportune time, often featuring a twist that throws plans into disarray.
This presentation focuses on three real-world plans, each with a fatal flaw. We will discuss elements that should be in a plan beyond the normal guidance from the Disaster Recovery Institute (DRI) and a set of actions that should be included in planning and preparation.
Alun Roberts' presentation to Offshore WIND 2016 in Amsterdam on supply chain plans, based on experience in the UK and lessons to be learnt across Europe.
Some thoughts on institutional repositories, annotations, comments, in a scholarly environment. Presented at Open Repositories 2008, University of Southampton
4 half day community engagement events in 4 villages asking local people about the proposed open cast mining in their area. We created a ‘drop in’ consultation space, with tables, postcards, posters, graffiti floor sheets and feedback cards. We also created the branding and identity and materials for the engagement. 4 classes of school children came and created postcards and pictures with their views.
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch! - Michele Chubirka
Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
Answer each question in one to two paragraphs. Question 1 .docx - justine1simpson78276
Answer each question in one to two paragraphs.
Question 1: Layered Network Defense
Network security has become a complicated topic due to the many types of threats to network information and systems. To defend against these threats, a layered network defense strategy must be utilized. What are the major components of a layered network defense model and what role does each of the layers play in the overall defense of the network against security threats?
Question 2: Risk Analysis
Properly securing a network is like building security around your home. You can invest a lot of money in security systems that defend against threats that do not exist in your neighborhood. The first step in developing good security is to understand what threats exist. What are the major security threats that exist for a typical company, and how might they determine which threats present the most risk for them and their situation?
Question 3: Security Policy
Securing a network consists of much more than just installing the appropriate hardware and software. A company must have a good set of policies in place to help make the decisions necessary to properly implement their network security. Discuss the major components of a good security policy.
Question 4: Goals of Network Security
One size does not fit all with regards to network security. A company or organization must understand what they are trying to accomplish with their network security. These goals will help drive the decisions necessary to implement a good security system. List some examples of goals a company or organization might set for their security system and discuss what types of security they might use to achieve these goals.
Question 5: Intrusion Detection
Networks often contain valuable information and are the target of threats to acquire the information or damage the information. Intruders pose a significant threat to networks and the first step in thwarting intrusion is to understand when and how it is occurring. What are some of the ways intruders can be detected in a network and what can be done to reduce this network threat?
Question 6: Digital Signatures
One of the most difficult aspects of network security is identification. If all people and devices connected to the network could be identified during every network transmission, security would be greatly improved. Unfortunately, this is not an easy task. Digital signatures help in identification of network transmissions. Discuss how digital signatures work and what aspects of network security they enhance.
Question 7: Access Control Lists
A common method of gaining improved network security is to create a list of authorized users for all network resources. These lists are called Access Control Lists or ACLs. ACLs are like airline reservations. You arrive at the gate and if you have a boarding pass, you can get on the plane. Without a boarding pass, you are left at the gate and the plane is off limits. Dis.
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu... - Symbiosis Group
Data on the cloud is at high risk. It is at risk of tampering by outsiders. The vulnerable nature of the architecture of the cloud sets it up for the data to be exposed and compromised. The fact that most of the data is on public cloud allows unethical intruders (hackers) to view the database on any cloud architecture. Whether private, public, community, or hybrid, this is a "Honey Pot" or "Pot of Gold" that intruders can use to wipe out data
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
It comes as no surprise that any micro-services, any security controls you use to build applications, will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is: how do we build our systems in a way that security incidents won't happen even if some components fail, and data leaks won't occur even if penetration tests are successful? Defense in depth is a security engineering pattern that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern web application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se... - AI Frontiers
The progress of AI in the last decade has seemed almost magical. But we will discuss the unique challenges posed by Security and what makes this domain the biggest challenge for AI. Reporting from the frontlines, we will describe the deployment of large-scale production-grade AI systems to combat security breaches, using lessons learned at Avast from defending over 400 million consumers every single day. Topics will cover the recent AI advancements in file-based anti-malware solutions, behavior-based on-device solutions, and network-based IoT security solutions.
My incident response talk from Techfair 2016 in Jersey. The talk explores how incident response could comply with the requirements set out in the Jersey Financial Services Commission Dear CEO letter on cyber security.
Using security to drive chaos engineering - April 2018 - Dinis Cruz
Presentation I delivered at ISSA UK "Application Security - London Chapter Meeting" https://www.eventbrite.co.uk/e/application-security-london-chapter-meeting-tickets-42284085839
How Your DRAM Becomes a Security Problemmark-smith
Since our attack methodology targets the DRAM, it is mostly independent of software flaws, operating system, virtualization technology and even CPU. The attack is based on the presence of a row buffer in all DRAM modules. While this buffer is of vital importance to the way DRAM works physically, they also provide an attack surface for a side channel attack.
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox (mark-smith)
This talk describes exactly how iOS devices can be remotely compromised over Wi-Fi without user interaction or complicity. iOS Wi-Fi attacks bypass all built-in mitigations and sandboxes.
Applied Machine Learning for Data exfil and other fun topics (mark-smith)
The goal of this presentation is to help researchers, analysts, and security enthusiasts get their hands dirty applying machine learning to security problems. We will walk the entire pipeline from idea to functioning tool on several diverse security-related problems, including offensive and defensive use cases for machine learning.
In this talk we focus on the challenges that the Fried Apple team solved in the process of making an untethered 9.0-9.3.x jailbreak. We will reveal the internal structure of modern jailbreaks, including low-level details such as achieving jailbreak persistence, creating a patchfinder to support all device types and finally bypassing kernel patch protection.
The Linux kernel hidden inside Windows 10 (mark-smith)
We'll take a look at the internals of this entirely new paradigm shift in the Windows OS, and touch the boundaries of the undocumented and unsupported to discover interesting design flaws and abusable assumptions, which lead to a wealth of new security challenges on Windows 10 Anniversary Update ("Redstone") machines.
People's work effectiveness may decrease, as they will have to be suspicious of practically every message they receive. This may also seriously hamper social relationships within the organization, promoting an atmosphere of distrust.
Greed for Fame Benefits Large Scale Botnets (mark-smith)
A criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was painstaking, since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated.
How your smartphone CPU breaks software-level security and privacy (mark-smith)
We will discuss how two apps on a system can communicate with each other, circumventing the permission system, and show how we can attack Bouncy Castle's AES implementation.
Attacking Network Infrastructure to Generate a 4 Tbs DDoS (mark-smith)
As bandwidth, computing power, and software advancements have improved over the years, we've begun to see larger and larger DDoS attacks against organizations. Oftentimes these attacks employ techniques such as DNS amplification to take advantage of servers with very large uplinks.
How to Make People Click on a Dangerous Link Despite their Security Awareness (mark-smith)
It is possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find the message plausible because they know the sender, or because it fits their expectations (context).
Technologies and Policies for a Defensible Cyberspace
1. Defense at Hyperscale: Technologies and Policies for a Defensible Cyberspace
Jason Healey
Senior Research Scholar, Columbia University SIPA
@Jason_Healey
2. Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
3. Not Trying to Make This an RSA Talk…
• Forget “Hyperscale” and “Defensible”
• Substitute “Internet and connected devices” instead of “cyberspace” if that helps
4. Core Ideas
Beyond Buzzwords
• No central strategy behind infosec today
– To drive our actions
– To judge between competing public goods
– To measure our overall strategic progress against
5. Core Ideas
• “Making _________ more defensible” is the strategy
– My Organization
– My Sector
– Cyberspace as a whole
• Being defensible means solutions with advantage and scale
• To find future advantage and scale, we must know what has so succeeded in the past
6. Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
7. Bad Guys Finish First
“Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”
8. Bad Guys Finish First
O>D
9. Bad Guys Finish First
Source of the quote: Lt Col Roger Schell (USAF) in 1979
10. Why is O>D?
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
11. Why is O>D?
1. Internet architecture: “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015)
12. Why is O>D?
2. Software weaknesses: “Today there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the marketplace often rewards low quality.” (Bruce Schneier, 2003)
13. Why is O>D?
3. Attacker initiative: “Attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all” (Computers at Risk report, 1991)
14. Why is O>D?
4. Incremental and mis-aimed solutions: “We need more secure products, not more security products.” (Phil Venables, 2004)
15. Why is O>D?
5. Complexity and high cost of control: Resulting complex systems: “processes that can be described, but not really understood ... often discovered through trial and error” (Charles Perrow)
16. Why is O>D?
6. Troublesome humans: Even the best and most secure technological systems can be bypassed when human users are lazy, confused or downright tricked.
17. Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
18. If the problem is O>D
the solution must be D>O (or even D>>O)
Is this even possible?
19. Key Questions to Tackle D>O
Results from NY Cyber Task Force
1. What is a defensible cyberspace and why hasn’t it been defensible to date?
2. What past interventions have made the biggest difference at the largest scale and least cost?
3. What interventions should we make today for the biggest differences at the largest scale and least cost?
20. What Would a Defensible Cyberspace Look Like?
Results from NY Cyber Task Force
Defensible = “Defense Advantage”
1. Agile response and decision-making
2. Instrumented and measurable
3. Multi-stakeholder and collaborative
4. Well-governed and policed
5. Few externalities
6. Resilient: Recovers readily
A dollar (or hour) spent on defense buys far more than a dollar spent on attack!
21. What past interventions have made the biggest difference at the largest scale and least cost?
23. Game-Changing Solutions
Results of NY Cyber Task Force
Requires two components:
• Advantage: Dollar of defense must buy more than a dollar of attack
• Scale: Dollar of defense should give 10x, 100x, or even 1,000,000x the benefits – hyperscale
24. Least Game-Changing Solutions
• Generally impose far higher costs on the defender than on the attacker
– Technology: Compliance and other solutions featuring checking-the-box
– Policy: Wassenaar Agreement to limit “cyber weapons”
25. Game-Changing Technologies With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default configurations
5. Authentication beyond passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home router
9. Address space layout randomization (ASLR) and kernel memory protection
10. DDoS protection
26. Game-Changing Technologies With Scale and Advantage
Automated updates: Including, but not limited to, Microsoft Update. “Once Microsoft got vested in security they were in the best position to do something about it” (Jeff Moss, Jeff Schmidt)
27. Game-Changing Technologies With Scale and Advantage
Cloud-Based architecture: Including related technologies like virtualization and containerization. “When deployed properly, the cloud provides several critical security advantages over perimeter-based models including greater automation, self-tailoring, and self-healing characteristics of virtualized security.” (Ed Amoroso, Phil Venables)
28. Game-Changing Technologies With Scale and Advantage
Encryption: One of the few places in all computer science where, if properly implemented, the defense has all the advantages against the attacker (Steve Bellovin). “Effective enough that it dissuades most from breaking it; there are usually other, less costly means available to the attacker.” (Wade Baker)
29. Game-Changing Technologies With Scale and Advantage
Secure default configurations: “Some vendors have made some progress here (particularly Microsoft), and it makes a huge difference. The most impactful parts of the USG Configuration Baseline are when vendors just incorporate it into their standard configuration.” (Senior Government Official)
30. Game-Changing Technologies With Scale and Advantage
Kerberos: “Changed the way the entire world did authentication” (Phil Venables)
Authentication beyond passwords: Not just authentication, but a slew of multi-factor solutions such as algorithmic and the like (Bruce Schneier)
31. Game-Changing Technologies With Scale and Advantage
Mass vulnerability scanning: “Solutions like nmap gave an easy and fast enterprise-wide view making fixing them far easier” (Mike Aiello)
32. Game-Changing Technologies With Scale and Advantage
Built-in NAT for home router: “Built-in NAT (simple firewall) has been extremely effective in stopping direct front door assaults against systems with open ports and unknown running services.” (Marc Sachs)
33. Game-Changing Technologies With Scale and Advantage
Address space layout randomization (ASLR) and kernel memory protection: “Measures like stackguard and ASLR moving from research (ca 2000) to mainstream (ca 2008) defeated a slew of common attacks … prioritizing security over compatibility.” (Jose Nazario, Dan Geer)
34. Game-Changing Technologies With Scale and Advantage
DDoS protection: “If an org can afford Cloudflare, etc., they can withstand hundreds of Gbps and stay online … not ‘solved,’ but defenses can substantially mitigate impact, unlike so many other issues.” (Richard Bejtlich)
35. Additional Possibilities: Beau Woods
I Am the Cavalry and Atlantic Council
• Language choice
– With C it's really hard to prevent errors and the failure modes are catastrophic to the software stack. By contrast something like Ruby on Rails has the penalty for failure of a Nerf football
• Controls Retirement
– We keep adding one control after another in pursuit of better defense in depth. Most organizations are up to their neck in DiD and it's suffocating them without benefit. Old controls like AV aren't really helping but they're costing 8-10B per year.
– Radically different IT thinking obviates some of these old expensive things by fixing root causes not apparent ones
– Related: Retire legacy infrastructure (Phil Venables)
• MAC not DAC
– Mandatory Access Control is like whitelisting on steroids. The entire OS is hostile to untrusted code. Especially effective in Mobile, IoT, and other places
• Software Supply Chain
– Modern software platforms are 80-90 percent assembled rather than written
– DevOps is an application of supply chain theory to agile development allowing us to run faster and stay safer
• Software Bill of Materials
– Even the best vulnerability scanners have a high degree of false positives and negatives. SBOMs are precise and accurate
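The scanner-versus-SBOM contrast in the last bullet, as an added worked example that is not code from the talk, from Beau Woods, or from the NY Cyber Task Force: the same constructed advisory feed is matched once against an SBOM (exact package name and version recorded at build time) and once against what a filename-guessing scanner infers from a constructed file listing of the same host. All package names, versions, advisory ids and paths are made-up placeholders, and the version comparison assumes plain dotted-integer versions.

```python
"""SBOM-driven vulnerability matching versus filename guessing.

Added illustration; not code from the talk, from Beau Woods, or from the
NY Cyber Task Force. Every package name, version, advisory id and file
path below is constructed for the example.
"""
import re

# Constructed advisory feed: package, first affected version (inclusive),
# first fixed version (exclusive). The ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libfoo", "introduced": "1.2.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-0002", "package": "libbar", "introduced": "0.9.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-0003", "package": "libbaz", "introduced": "3.0.0", "fixed": "3.1.0"},
]

# Constructed SBOM, trimmed to the two fields matching needs (a CycloneDX or
# SPDX document carries far more). The build records what was actually
# linked in, including libbaz, which is statically linked into crypto.so.
SBOM_COMPONENTS = [
    {"name": "libfoo", "version": "1.4.2"},  # exactly the fixed release
    {"name": "libbar", "version": "1.3.7"},  # vendored copy, inside the range
    {"name": "libbaz", "version": "3.0.5"},  # hidden inside crypto.so
]

# Constructed file listing of the same deployed host, as a heuristic scanner
# would see it. Note the stale documentation directory for an old libfoo.
HOST_FILES = [
    "/usr/lib/libfoo.so.1.4.2",
    "/opt/app/vendor/libbar-1.3.7/libbar.so",
    "/usr/share/doc/libfoo-1.2.0/README",
    "/opt/app/lib/crypto.so",
]


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Dotted integers only; real tooling needs a
    version-scheme-aware parser (semver, PEP 440, distro epochs)."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under numeric comparison."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_components(components, advisories):
    """Exact package-name match plus version-range check.

    Returns sorted (name, version, advisory id) triples."""
    hits = []
    for comp in components:
        for adv in advisories:
            if comp["name"] == adv["package"] and is_affected(
                comp["version"], adv["introduced"], adv["fixed"]
            ):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return sorted(hits)


# Two filename shapes a naive scanner might key on: libfoo.so.1.4.2 and
# libfoo-1.2.0/ directories. Anything else is invisible to it.
_FILENAME_PATTERNS = [
    re.compile(r"(?P<name>lib[a-z]+)\.so\.(?P<version>\d+(?:\.\d+)*)$"),
    re.compile(r"(?P<name>lib[a-z]+)-(?P<version>\d+(?:\.\d+)*)(?:/|$)"),
]


def guess_components_from_paths(paths):
    """Heuristic inventory: infer (name, version) from path strings alone."""
    guesses = set()
    for path in paths:
        for pattern in _FILENAME_PATTERNS:
            found = pattern.search(path)
            if found:
                guesses.add((found.group("name"), found.group("version")))
                break
    return [{"name": n, "version": v} for n, v in sorted(guesses)]


def compare_scanners(sbom_components, host_files, advisories):
    """Treat the SBOM-based result as ground truth and report where the
    filename heuristic over-reports (false positives) or misses (false negatives)."""
    precise = match_components(sbom_components, advisories)
    guessed = match_components(guess_components_from_paths(host_files), advisories)
    return {
        "sbom_findings": precise,
        "heuristic_findings": guessed,
        "false_positives": sorted(set(guessed) - set(precise)),
        "false_negatives": sorted(set(precise) - set(guessed)),
    }


def run_example():
    """Run the comparison on the constructed data above."""
    return compare_scanners(SBOM_COMPONENTS, HOST_FILES, ADVISORIES)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Run it directly to print the four result lists. The false positive comes from a leftover documentation directory for a release that is no longer installed; the false negative is a library statically linked into a differently named object, which no filename heuristic can see but the build's SBOM records. Treating the SBOM as ground truth only holds when the SBOM is generated by the build itself rather than maintained by hand.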
36. Possible Next-Gen Game-Changers
Ongoing Work of the NY Cyber Task Force
• Return of Formal Methods, like DARPA’s High-Assurance Cyber Military Systems
“Not unhackable completely. There are certain obvious pathways for attackers that have all been shut down in a way that’s mathematically proven to be unhackable for those pathways.” (Arati Prabhakar)
• Compiler-Generated Software Diversity:
“After every 100th download of a given app … re-compiles that app with a strong diversity compiler making the next 100 downloads different from the previous 100. This prevents mass exploitation, though at a cost: it is no longer possible to confirm whether a given binary corresponds to a given source blob.” (Dan Geer)
• Security solutions for IoT
If you think cyberspace is insecure today, just wait for the coming Internet of Things. “The first 5 billion devices won’t be like the next 50 billion. Modern cars are computers on wheels, and cutting edge patient care is delivered over the Internet. If we get this right, the promise will transform society; if we get this wrong we eliminate the resilience we seek.” (Beau Woods)
• Security score cards like BitSight to drive insurance, behavior (Phil Venables)
• Data-level protection (Greg Touhill)
Hyperscale: Critical mass of cloud deployment
37. How Do Techs Become Real Game-Changers
Ongoing Work of the NY Cyber Task Force
1. Take Away Entire Classes of Attacks (Arati Prabhakar)
2. Take User out of the Solution (Bruce Schneier)
3. “Those responsible make a change that helps all their users” (Jeff Moss)
4. “Improve security by decreasing cost of control” (Phil Venables)
5. Minimize Consequence - agility, detection, and resilience (Art Coviello)
38. Operational and Policy Game-Changers
Harder to Measure
• Creation of the first CERTs in late 1980s
• Operational innovations: kill chain
• Automated threat sharing – STIX, TAXII, CyBox
• Institutionalized bug bounty programs
• Volunteer groups: Conficker, NSP-SEC, I am the Cavalry
• Industry Alliances: ICASI, Cyber Threat Alliance
• Budapest Convention on cyber crime
39. Operational and Policy Game-Changers
• International norms along with indictments and threat of sanctions
• FireEye: massive reduction of detected Chinese intrusions from ~70/month to less than 5/month
• What other solution have we ever implemented for such success at so little cost?
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf
40. Operational and Policy Game-Changers
• USG policy of “bias” to not retain vulnerabilities, but disclose to vendors
• USG “discloses far more vulnerabilities than it decides to keep secret, in one year keeping only about two for offensive purposes out of about 100 the White House reviewed”
VEP Process - 2014 to Present
41. Operational and Policy Game-Changers
• USG policy bias to disclose to US companies when they’ve been pwned
• Result: Law Enforcement now #1 source for breach notification (esp for botnet takedown), per Verizon
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
42. Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
43. Implications
• The only potential futures aren’t just
– O>D (continued status quo)
– D>O (defense advantage)
• Could be far worse, O>>D
– or far better, D>>O
• Atlantic Council and Zurich Insurance Group modeled the economic impact of getting it right (or horribly wrong)
44. Possible Futures…
Cumulative Annual Benefits and Costs, Economic Impact Through 2030
Best case: ~$30 trillion
Worst case: ~$90 trillion
Difference in government control less impactful, still meaningful: $30 trillion
Best case is “Cyber Shangri-La” where D>O
Worst case is “Clockwork Orange Internet” where O>>D
45. If Future Possibilities are “Fat Tail Distribution” Then Far More Potential Variability
[Figure: two distributions, each labeled “Expected Future”]
First panel: Regular standard deviation; lower chance of massive, unexpected events
Second panel (fat tail): Variance not bounded; far higher chance for surprise
46. Measuring Defensibility
• Verizon Data Breach Investigations Report
– “Detection deficit … is getting worse”
– “Attackers are getting even quicker at compromising their victims”
– Slight improvements in how quickly defenders detect compromises
• Commerce: 45 percent of US online households have stopped some sensitive online transactions
• Index of Cyber Security
47. For a More Defensible Cyberspace And a $120 Trillion Payoff
• Advantage: Dollar of defense must buy more than a dollar of attack
• Scale: Dollar of defense should give 10x, 100x, or even 1,000,000x the benefits – hyperscale